Mac OS X tool sniffs out iOS contact-snoop apps

Security vendor Veracode has released a tool for Mac OS X (but not Windows) that detects any iOS app that could be sending its makers a user's contact lists and calendar data.

The aptly named, AdiOS, which apparently stands for Address book Detector for iOS, scans iOS apps in an iTunes directory to assess which ones access a device's address book.

The tool was released in response to the controversy brewing over the privacy boo-boo by social network Path, outed last week for having uploaded its users' entire contact lists without asking for their permission.

The company has since apologised for the practice and released an update that removes the feature. But while Apple has said Path violated its developer agreement, US lawmakers are now directing questions at Apple about the rigour of its controls and additional concerns that there is a "quiet understanding" amongst iOS app developers that its acceptable to collect and transmit those details.

Veracode's utility lets anyone concerned about this practice to identify an app that may have already done this by seeking out any app that contains a reference to an iOS API call that Apple provides developers, ABAddressBookCopyArrayOfAllPeople.

That doesn't mean apps ADiOS detects necessarily did what Path did, but the tool will flag which ones have the potential to do so, Veracode researcher Mark Kriegsman explained.

Kriegsman wrote that of the 450 iOS apps on his Mac, 50 appeared to call the API, including well-known apps as Angry Birds, an app from Citibank and several Google apps.
"A number of lesser-known games do it, too. Why do all of these apps need to dump my entire address book? The quantity of apps with this ability really caught us off guard," wrote Kriegsman.

On the than hand, he points out that many apps use this data for legitimate reasons, such as helping users maker connections, and that users shouldn't be surprised by the practice.

"Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come to a surprise to anyone who’s been following mobile development or security research for mobile platforms," wrote Kriegsman.

Did Path breach Australia's Privacy Act?

Whether or not collecting user's contact data without permission is an accepted practice amongst developers misses the point, according to Stephen Wilson, a security consultant who operates the Australian business, Lockstep.

In the context of Australia's Privacy Act, Path and other app makers that actually collect the list almost certainly break the law, in particular if an app maker is taking a contact list, which he believes would be considered personal information (PI), and doubly-so if it's done without permission.

"If PI gets into a company's system, then they have collected it. No ifs, no buts. PI taken from the public domain is still counted as a Collection," Wilson told cso.com.au by email.
"Now when an app calls up the contact list, an important legal-technicality will be whether an organsiation somewhere up the line is taking the PI from the app.

"I think that if some weird app made the function call but did nothing more with the PI is probably not breaching the law. The PI needs to be collected by an entity."

Phone lists might just be a collection of names and numbers, but Wilson argues they are also "rich with descriptors", which may detail the relationship of the contact with the owner, for example, "shrink" or "abortion clinic".

"If a phone owner happened to work at a Women's Refuge or was a psychiatrist, then the address list is dynamite."

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.